MDEV-7597 Expiration of user passwords

post-merge changes: * handle password expiration on old tables like everything else - make changes in memory, even if they cannot be done on disk * merge "debug" tests with non-debug tests, they don't use dbug anyway * only run rpl password expiration in MIXED mode, it doesn't replicate anything, so no need to repeat it thrice * restore update_user_table_password() prototype, it should not change ACL_USER, this is done in acl_user_update() * don't parse json twice in get_password_lifetime and get_password_expired * remove LEX_USER::is_changing_password, see if there was any auth instead * avoid overflow in expiration calculations * don't initialize Account_options in the constructor, it's bzero-ed later * don't create ulong sysvars - they're not portable, prefer uint or ulonglong * misc simplifications

MDEV-7597 Expiration of user passwords
post-merge changes: * handle password expiration on old tables like everything else - make changes in memory, even if they cannot be done on disk * merge "debug" tests with non-debug tests, they don't use dbug anyway * only run rpl password expiration in MIXED mode, it doesn't replicate anything, so no need to repeat it thrice * restore update_user_table_password() prototype, it should not change ACL_USER, this is done in acl_user_update() * don't parse json twice in get_password_lifetime and get_password_expired * remove LEX_USER::is_changing_password, see if there was any auth instead * avoid overflow in expiration calculations * don't initialize Account_options in the constructor, it's bzero-ed later * don't create ulong sysvars - they're not portable, prefer uint or ulonglong * misc simplifications
1e621016 · Sergei Golubchik · 90ad4dbd · 1e621016 · 1e621016 · 1e621016
Commit 1e621016 authored Feb 18, 2019 by Sergei Golubchik
21 changed files
--- a/mysql-test/main/mysql_upgrade.result
+++ b/mysql-test/main/mysql_upgrade.result
@@ -596,7 +596,7 @@ drop view mysql.user_bak;
 create user 'user3'@'localhost' identified with mysql_native_password as password('a_password');
 show create user user3@localhost;
 CREATE USER for user3@localhost
-CREATE USER 'user3'@'localhost' IDENTIFIED BY PASSWORD '*5DC1D11F45824A9DD613961F05C1EC1E7A1601AA' PASSWORD EXPIRE NEVER
+CREATE USER 'user3'@'localhost' IDENTIFIED BY PASSWORD '*5DC1D11F45824A9DD613961F05C1EC1E7A1601AA'
 update mysql.user set password=authentication_string, authentication_string='' where user='user3';
 select password,plugin,authentication_string from mysql.user where user='user3';
 password	plugin	authentication_string

--- a/mysql-test/main/password_expiration.result
+++ b/mysql-test/main/password_expiration.result
@@ -141,7 +141,7 @@ ERROR HY000: Incorrect DAY value: '0'
 create user user1@localhost;
 show create user user1@localhost;
 CREATE USER for user1@localhost
-CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
+CREATE USER 'user1'@'localhost'
 flush privileges;
 show create user user1@localhost;
 CREATE USER for user1@localhost
@@ -158,7 +158,7 @@ set password for user1@localhost= password('');
 alter user user1@localhost password expire default;
 show create user user1@localhost;
 CREATE USER for user1@localhost
-CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
+CREATE USER 'user1'@'localhost'
 flush privileges;
 show create user user1@localhost;
 CREATE USER for user1@localhost
@@ -174,7 +174,7 @@ CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
 alter user user1@localhost password expire interval 123 day;
 show create user user1@localhost;
 CREATE USER for user1@localhost
-CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE INTERVAL 123 DAY
 flush privileges;
 show create user user1@localhost;
 CREATE USER for user1@localhost
@@ -205,3 +205,55 @@ connection default;
 drop user user1@localhost;
 set global disconnect_on_expired_password=default;
 set global default_password_lifetime=default;
+#
+# PASSWORD EXPIRE DEFAULT should use the default_password_lifetime
+# system var to set the number of days till expiration
+#
+set global disconnect_on_expired_password= ON;
+set global default_password_lifetime= 2;
+create user user1@localhost password expire default;
+set @tstamp_expired= UNIX_TIMESTAMP(NOW() - INTERVAL 3 DAY);
+update mysql.global_priv set
+priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
+where user='user1';
+flush privileges;
+connect(localhost,user1,,test,MYSQL_PORT,MYSQL_SOCK);
+connect con1,localhost,user1;
+ERROR HY000: Your password has expired. To log in you must change it using a client that supports expired passwords
+drop user user1@localhost;
+#
+# PASSWORD EXPIRE INTERVAL should expire a client's password after
+# X days and not before
+#
+set global disconnect_on_expired_password= ON;
+create user user1@localhost password expire interval 2 day;
+connect con1,localhost,user1;
+disconnect con1;
+connection default;
+set @tstamp_expired= UNIX_TIMESTAMP(NOW() - INTERVAL 3 DAY);
+update mysql.global_priv set
+priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
+where user='user1';
+flush privileges;
+connect(localhost,user1,,test,MYSQL_PORT,MYSQL_SOCK);
+connect con1,localhost,user1;
+ERROR HY000: Your password has expired. To log in you must change it using a client that supports expired passwords
+drop user user1@localhost;
+#
+# PASSWORD EXPIRE NEVER should override the other policies and never
+# expire a client's password
+#
+set global disconnect_on_expired_password= ON;
+create user user1@localhost password expire interval 2 day;
+alter user user1@localhost password expire never;
+set @tstamp_expired= UNIX_TIMESTAMP() - 3;
+update mysql.global_priv set
+priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
+where user='user1';
+flush privileges;
+connect con1,localhost,user1;
+disconnect con1;
+connection default;
+drop user user1@localhost;
+set global disconnect_on_expired_password= default;
+set global default_password_lifetime= default;
--- a/mysql-test/main/password_expiration.test
+++ b/mysql-test/main/password_expiration.test
@@ -194,3 +194,70 @@ set global disconnect_on_expired_password=default;
 set global default_password_lifetime=default;
 --source include/switch_to_mysql_global_priv.inc
+#
+# Test password expiration INTERVAL and default_password_lifetime options
+#
+--echo #
+--echo # PASSWORD EXPIRE DEFAULT should use the default_password_lifetime
+--echo # system var to set the number of days till expiration
+--echo #
+set global disconnect_on_expired_password= ON;
+set global default_password_lifetime= 2;
+create user user1@localhost password expire default;
+set @tstamp_expired= UNIX_TIMESTAMP(NOW() - INTERVAL 3 DAY);
+update mysql.global_priv set
+    priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
+    where user='user1';
+flush privileges;
+--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
+--error ER_MUST_CHANGE_PASSWORD_LOGIN
+connect(con1,localhost,user1);
+drop user user1@localhost;
+--echo #
+--echo # PASSWORD EXPIRE INTERVAL should expire a client's password after
+--echo # X days and not before
+--echo #
+set global disconnect_on_expired_password= ON;
+create user user1@localhost password expire interval 2 day;
+--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
+connect(con1,localhost,user1);
+disconnect con1;
+connection default;
+set @tstamp_expired= UNIX_TIMESTAMP(NOW() - INTERVAL 3 DAY);
+update mysql.global_priv set
+    priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
+    where user='user1';
+flush privileges;
+--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
+--error ER_MUST_CHANGE_PASSWORD_LOGIN
+connect(con1,localhost,user1);
+drop user user1@localhost;
+--echo #
+--echo # PASSWORD EXPIRE NEVER should override the other policies and never
+--echo # expire a client's password
+--echo #
+set global disconnect_on_expired_password= ON;
+create user user1@localhost password expire interval 2 day;
+alter user user1@localhost password expire never;
+set @tstamp_expired= UNIX_TIMESTAMP() - 3;
+update mysql.global_priv set
+    priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
+    where user='user1';
+flush privileges;
+--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
+connect(con1,localhost,user1);
+disconnect con1;
+connection default;
+drop user user1@localhost;
+set global disconnect_on_expired_password= default;
+set global default_password_lifetime= default;
--- a/mysql-test/main/password_expiration_dbug.result
+++ b/mysql-test/main/password_expiration_dbug.result
-set @old_dbug= @@global.debug_dbug;
-set global debug_dbug= "+d,password_expiration_interval_sec";
-#
-# PASSWORD EXPIRE DEFAULT should use the default_password_lifetime 
-# system var to set the number of days till expiration
-#
-set global disconnect_on_expired_password= ON;
-set global default_password_lifetime= 2;
-create user user1@localhost password expire default;
-set @tstamp_expired= UNIX_TIMESTAMP() - 3;
-update mysql.global_priv set
-priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
-where user='user1';
-flush privileges;
-connect(localhost,user1,,test,MYSQL_PORT,MYSQL_SOCK);
-connect con1,localhost,user1;
-ERROR HY000: Your password has expired. To log in you must change it using a client that supports expired passwords
-drop user user1@localhost;
-#
-# PASSWORD EXPIRE INTERVAL should expire a client's password after
-# X seconds and not before
-#
-set global disconnect_on_expired_password= ON;
-create user user1@localhost password expire interval 2 day;
-connect con1,localhost,user1;
-disconnect con1;
-connection default;
-set @tstamp_expired= UNIX_TIMESTAMP() - 3;
-update mysql.global_priv set
-priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
-where user='user1';
-flush privileges;
-connect(localhost,user1,,test,MYSQL_PORT,MYSQL_SOCK);
-connect con1,localhost,user1;
-ERROR HY000: Your password has expired. To log in you must change it using a client that supports expired passwords
-drop user user1@localhost;
-#
-# PASSWORD EXPIRE NEVER should override the other policies and never
-# expire a client's password
-#
-set global disconnect_on_expired_password= ON;
-create user user1@localhost password expire interval 2 day;
-alter user user1@localhost password expire never;
-set @tstamp_expired= UNIX_TIMESTAMP() - 3;
-update mysql.global_priv set
-priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
-where user='user1';
-flush privileges;
-connect con1,localhost,user1;
-disconnect con1;
-connection default;
-drop user user1@localhost;
-set global debug_dbug= @old_dbug;
-set global disconnect_on_expired_password= default;
-set global default_password_lifetime= default;
--- a/mysql-test/main/password_expiration_dbug.test
+++ b/mysql-test/main/password_expiration_dbug.test
-#
-# Test password expiration INTERVAL and default_password_lifetime options
-#
--source include/have_debug.inc
--source include/not_embedded.inc
-set @old_dbug= @@global.debug_dbug;
-set global debug_dbug= "+d,password_expiration_interval_sec";
--echo #
--echo # PASSWORD EXPIRE DEFAULT should use the default_password_lifetime 
--echo # system var to set the number of days till expiration
--echo #
-set global disconnect_on_expired_password= ON;
-set global default_password_lifetime= 2;
-create user user1@localhost password expire default;
-set @tstamp_expired= UNIX_TIMESTAMP() - 3;
-update mysql.global_priv set
-    priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
-    where user='user1';
-flush privileges;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
--error ER_MUST_CHANGE_PASSWORD_LOGIN
-connect(con1,localhost,user1);
-drop user user1@localhost;
--echo #
--echo # PASSWORD EXPIRE INTERVAL should expire a client's password after
--echo # X seconds and not before
--echo #
-set global disconnect_on_expired_password= ON;
-create user user1@localhost password expire interval 2 day;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
-connect(con1,localhost,user1);
-disconnect con1;
-connection default;
-set @tstamp_expired= UNIX_TIMESTAMP() - 3;
-update mysql.global_priv set
-    priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
-    where user='user1';
-flush privileges;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
--error ER_MUST_CHANGE_PASSWORD_LOGIN
-connect(con1,localhost,user1);
-drop user user1@localhost;
--echo #
--echo # PASSWORD EXPIRE NEVER should override the other policies and never
--echo # expire a client's password
--echo #
-set global disconnect_on_expired_password= ON;
-create user user1@localhost password expire interval 2 day;
-alter user user1@localhost password expire never;
-set @tstamp_expired= UNIX_TIMESTAMP() - 3;
-update mysql.global_priv set
-    priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
-    where user='user1';
-flush privileges;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
-connect(con1,localhost,user1);
-disconnect con1;
-connection default;
-drop user user1@localhost;
-set global debug_dbug= @old_dbug;
-set global disconnect_on_expired_password= default;
-set global default_password_lifetime= default;
--- a/mysql-test/suite/funcs_1/r/is_user_privileges.result
+++ b/mysql-test/suite/funcs_1/r/is_user_privileges.result
@@ -92,8 +92,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser2
@@ -101,8 +100,7 @@ json_detailed(priv)	{
    "access": 6,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser3
@@ -110,8 +108,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 #
 # Add GRANT OPTION db_datadict.* to testuser1;
@@ -143,8 +140,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser2
@@ -152,8 +148,7 @@ json_detailed(priv)	{
    "access": 6,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser3
@@ -161,8 +156,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 connect  testuser1, localhost, testuser1, , db_datadict;
 SELECT * FROM information_schema.user_privileges
@@ -180,8 +174,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser2
@@ -189,8 +182,7 @@ json_detailed(priv)	{
    "access": 6,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser3
@@ -198,8 +190,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 SHOW GRANTS;
 Grants for testuser1@localhost
@@ -239,8 +230,7 @@ json_detailed(priv)	{
    "access": 1,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser2
@@ -248,8 +238,7 @@ json_detailed(priv)	{
    "access": 6,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser3
@@ -257,8 +246,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 GRANT SELECT ON *.* TO 'testuser1'@'localhost' WITH GRANT OPTION;
 #
@@ -290,8 +278,7 @@ json_detailed(priv)	{
    "access": 1025,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser2
@@ -299,8 +286,7 @@ json_detailed(priv)	{
    "access": 6,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser3
@@ -308,8 +294,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 connection testuser1;
 SELECT * FROM information_schema.user_privileges
@@ -327,8 +312,7 @@ json_detailed(priv)	{
    "access": 1025,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser2
@@ -336,8 +320,7 @@ json_detailed(priv)	{
    "access": 6,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser3
@@ -345,8 +328,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 SHOW GRANTS;
 Grants for testuser1@localhost
@@ -416,8 +398,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser2
@@ -425,8 +406,7 @@ json_detailed(priv)	{
    "access": 6,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser3
@@ -434,8 +414,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 connection testuser1;
 SELECT * FROM information_schema.user_privileges
@@ -500,8 +479,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser2
@@ -509,8 +487,7 @@ json_detailed(priv)	{
    "access": 6,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser3
@@ -518,8 +495,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 connection testuser1;
 SELECT * FROM information_schema.user_privileges
@@ -537,8 +513,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser2
@@ -546,8 +521,7 @@ json_detailed(priv)	{
    "access": 6,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser3
@@ -555,8 +529,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 SHOW GRANTS;
 Grants for testuser1@localhost
@@ -581,8 +554,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser2
@@ -590,8 +562,7 @@ json_detailed(priv)	{
    "access": 6,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser3
@@ -599,8 +570,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 SHOW GRANTS;
 Grants for testuser1@localhost
@@ -640,8 +610,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser2
@@ -649,8 +618,7 @@ json_detailed(priv)	{
    "access": 6,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 host	localhost
 user	testuser3
@@ -658,8 +626,7 @@ json_detailed(priv)	{
    "access": 0,
    "plugin": "mysql_native_password",
    "authentication_string": "",
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 connection testuser1;
 SELECT * FROM information_schema.user_privileges

--- a/mysql-test/suite/funcs_1/t/is_user_privileges.test
+++ b/mysql-test/suite/funcs_1/t/is_user_privileges.test
@@ -103,7 +103,7 @@ WHERE user LIKE 'testuser%' ORDER BY host, user;
 let $my_show= SHOW GRANTS;
 --vertical_results
 eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
+--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
 eval $my_select2;
 --horizontal_results
@@ -112,7 +112,7 @@ eval $my_select2;
 GRANT UPDATE ON db_datadict.* TO 'testuser1'@'localhost' WITH GRANT OPTION;
 --vertical_results
 eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
+--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
 eval $my_select2;
 --horizontal_results
@@ -120,7 +120,7 @@ eval $my_select2;
 connect (testuser1, localhost, testuser1, , db_datadict);
 --vertical_results
 eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
+--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
 eval $my_select2;
 --horizontal_results
 eval $my_show;
@@ -134,7 +134,7 @@ GRANT SELECT ON *.* TO 'testuser1'@'localhost';
 --echo # Here <SELECT NO> is shown correctly for testuser1;
 --vertical_results
 eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
+--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
 eval $my_select2;
 --horizontal_results
@@ -143,7 +143,7 @@ GRANT SELECT ON *.* TO 'testuser1'@'localhost' WITH GRANT OPTION;
 --echo # Here <SELECT YES> is shown correctly for testuser1;
 --vertical_results
 eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
+--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
 eval $my_select2;
 --horizontal_results
@@ -151,7 +151,7 @@ eval $my_select2;
 connection testuser1;
 --vertical_results
 eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
+--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
 eval $my_select2;
 --horizontal_results
 eval $my_show;
@@ -180,7 +180,7 @@ connection default;
 REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'testuser1'@'localhost';
 --vertical_results
 eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
+--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
 eval $my_select2;
 --horizontal_results
@@ -213,14 +213,14 @@ GRANT ALL ON db_datadict.* TO 'testuser1'@'localhost' WITH GRANT OPTION;
 GRANT SELECT ON mysql.global_priv TO 'testuser1'@'localhost';
 --vertical_results
 eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
+--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
 eval $my_select2;
 --horizontal_results
 connection testuser1;
 --vertical_results
 eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
+--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
 eval $my_select2;
 --horizontal_results
 eval $my_show;
@@ -233,7 +233,7 @@ CREATE TABLE db_datadict.tb_56 ( c1 TEXT );
 USE db_datadict;
 --vertical_results
 eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
+--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
 eval $my_select2;
 --horizontal_results
 eval $my_show;
@@ -248,7 +248,7 @@ connection default;
 REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'testuser1'@'localhost';
 --vertical_results
 eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
+--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
 eval $my_select2;
 --horizontal_results

--- a/mysql-test/suite/plugins/r/multiauth.result
+++ b/mysql-test/suite/plugins/r/multiauth.result
@@ -123,8 +123,7 @@ json_detailed(priv)
        {
        }
    ],
-    "password_last_changed": 0,
+    "password_last_changed": #
-    "password_lifetime": -1
 }
 select password,plugin,authentication_string from mysql.user where user='mysqltest1';
 Password	plugin	authentication_string

--- a/mysql-test/suite/plugins/t/multiauth.test
+++ b/mysql-test/suite/plugins/t/multiauth.test
@@ -130,7 +130,7 @@ drop user mysqltest1;
 #
 create user mysqltest1 identified via ed25519 as password("good") OR unix_socket OR mysql_native_password as password("works");
 show grants for mysqltest1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
+--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
 select json_detailed(priv) from mysql.global_priv where user='mysqltest1';
 select password,plugin,authentication_string from mysql.user where user='mysqltest1';
 flush privileges;

--- a/mysql-test/main/rpl_expired_pass.result
+++ b/mysql-test/main/rpl_expired_pass.result
--- a/mysql-test/main/rpl_expired_pass.test
+++ b/mysql-test/main/rpl_expired_pass.test
@@ -4,6 +4,7 @@
 #
 --source include/not_embedded.inc
+--source include/have_binlog_format_mixed.inc
 --source include/master-slave.inc
 --connection slave

--- a/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result
+++ b/mysql-test/suite/sys_vars/r/sysvars_server_embedded.result
@@ -718,7 +718,7 @@ GLOBAL_VALUE	0
 GLOBAL_VALUE_ORIGIN	COMPILE-TIME
 DEFAULT_VALUE	0
 VARIABLE_SCOPE	GLOBAL
-VARIABLE_TYPE	BIGINT UNSIGNED
+VARIABLE_TYPE	INT UNSIGNED
 VARIABLE_COMMENT	This defines the global password expiration policy. 0 means automatic password expiration is disabled. If the value is a positive integer N, the passwords must be changed every N days. This behavior can be overriden using the password expiration options in ALTER USER.
 NUMERIC_MIN_VALUE	0
 NUMERIC_MAX_VALUE	4294967295

--- a/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result
+++ b/mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result
@@ -732,7 +732,7 @@ GLOBAL_VALUE	0
 GLOBAL_VALUE_ORIGIN	COMPILE-TIME
 DEFAULT_VALUE	0
 VARIABLE_SCOPE	GLOBAL
-VARIABLE_TYPE	BIGINT UNSIGNED
+VARIABLE_TYPE	INT UNSIGNED
 VARIABLE_COMMENT	This defines the global password expiration policy. 0 means automatic password expiration is disabled. If the value is a positive integer N, the passwords must be changed every N days. This behavior can be overriden using the password expiration options in ALTER USER.
 NUMERIC_MIN_VALUE	0
 NUMERIC_MAX_VALUE	4294967295

--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -511,7 +511,7 @@ ulong feature_files_opened_with_delayed_keys= 0, feature_check_constraint= 0;
 ulonglong denied_connections;
 my_decimal decimal_zero;
 long opt_secure_timestamp;
-ulong default_password_lifetime;
+uint default_password_lifetime;
 my_bool disconnect_on_expired_password;
 /*

--- a/sql/mysqld.h
+++ b/sql/mysqld.h
@@ -310,7 +310,7 @@ extern my_bool encrypt_tmp_disk_tables, encrypt_tmp_files;
 extern ulong encryption_algorithm;
 extern const char *encryption_algorithm_names[];
 extern long opt_secure_timestamp;
-extern ulong default_password_lifetime;
+extern uint default_password_lifetime;
 extern my_bool disconnect_on_expired_password;
 enum secure_timestamp { SECTIME_NO, SECTIME_SUPER, SECTIME_REPL, SECTIME_YES };

--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
--- a/sql/sql_lex.h
+++ b/sql/sql_lex.h
@@ -2955,14 +2955,14 @@ class Delete_plan : public Update_plan
 enum account_lock_type
 {
-  ACCOUNTLOCK_UNSPECIFIED,
+  ACCOUNTLOCK_UNSPECIFIED= 0,
  ACCOUNTLOCK_LOCKED,
  ACCOUNTLOCK_UNLOCKED
 };
 enum password_exp_type
 {
-  PASSWORD_EXPIRE_UNSPECIFIED,
+  PASSWORD_EXPIRE_UNSPECIFIED= 0,
  PASSWORD_EXPIRE_NOW,
  PASSWORD_EXPIRE_NEVER,
  PASSWORD_EXPIRE_DEFAULT,
@@ -2971,11 +2971,7 @@ enum password_exp_type
 struct Account_options: public USER_RESOURCES
 {
-  Account_options()
+  Account_options() { }
-    : account_locked(ACCOUNTLOCK_UNSPECIFIED)
-    , password_expire(PASSWORD_EXPIRE_UNSPECIFIED)
-    , num_expiration_days(0)
-  { }
  void reset()
  {

--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -8061,17 +8061,9 @@ opt_password_expiration:
          }
        | PASSWORD_SYM EXPIRE_SYM INTERVAL_SYM NUM DAY_SYM
          {
-            int error;
-            longlong interval= my_strtoll10($4.str, (char**) 0, &error);
-            if (!interval)
-            {
-              char num[MAX_BIGINT_WIDTH + 1];
-              my_snprintf(num, sizeof(num), "%lu", interval);
-              my_yyabort_error((ER_WRONG_VALUE, MYF(0), "DAY", num));
-            }
            Lex->account_options.password_expire= PASSWORD_EXPIRE_INTERVAL;
-            Lex->account_options.num_expiration_days= interval;
+            if (!(Lex->account_options.num_expiration_days= atoi($4.str)))
+              my_yyabort_error((ER_WRONG_VALUE, MYF(0), "DAY", $4.str));
          }
        ;
@@ -17300,25 +17292,21 @@ grant_user:
            $$= $1;
            $1->auth= new (thd->mem_root) USER_AUTH();
            $1->auth->pwtext= $4;
-            $1->is_changing_password= true;
          }
        | user IDENTIFIED_SYM BY PASSWORD_SYM TEXT_STRING
          { 
            $$= $1; 
            $1->auth= new (thd->mem_root) USER_AUTH();
            $1->auth->auth_str= $5;
-            $1->is_changing_password= true;
          }
        | user IDENTIFIED_SYM via_or_with auth_expression
          {
            $$= $1;
            $1->auth= $4;
-            $1->is_changing_password= false;
          }
        | user_or_role
          {
            $$= $1;
-            $1->is_changing_password= false;
          }
        ;

--- a/sql/sql_yacc_ora.yy
+++ b/sql/sql_yacc_ora.yy
@@ -8091,17 +8091,9 @@ opt_password_expiration:
          }
        | PASSWORD_SYM EXPIRE_SYM INTERVAL_SYM NUM DAY_SYM
          {
-            int error;
-            longlong interval= my_strtoll10($4.str, (char**) 0, &error);
-            if (!interval)
-            {
-              char num[MAX_BIGINT_WIDTH + 1];
-              my_snprintf(num, sizeof(num), "%lu", interval);
-              my_yyabort_error((ER_WRONG_VALUE, MYF(0), "DAY", num));
-            }
            Lex->account_options.password_expire= PASSWORD_EXPIRE_INTERVAL;
-            Lex->account_options.num_expiration_days= interval;
+            if (!(Lex->account_options.num_expiration_days= atoi($4.str)))
+              my_yyabort_error((ER_WRONG_VALUE, MYF(0), "DAY", $4.str));
          }
        ;
@@ -17438,25 +17430,21 @@ grant_user:
            $$= $1;
            $1->auth= new (thd->mem_root) USER_AUTH();
            $1->auth->pwtext= $4;
-            $1->is_changing_password= true;
          }
        | user IDENTIFIED_SYM BY PASSWORD_SYM TEXT_STRING
          { 
            $$= $1; 
            $1->auth= new (thd->mem_root) USER_AUTH();
            $1->auth->auth_str= $5;
-            $1->is_changing_password= true;
          }
        | user IDENTIFIED_SYM via_or_with auth_expression
          {
            $$= $1;
            $1->auth= $4;
-            $1->is_changing_password= false;
          }
        | user_or_role
          {
            $$= $1;
-            $1->is_changing_password= false;
          }
        ;

--- a/sql/structs.h
+++ b/sql/structs.h
@@ -255,7 +255,6 @@ struct AUTHID
 struct LEX_USER: public AUTHID
 {
  USER_AUTH *auth;
-  bool is_changing_password;
  bool has_auth()
  {
    return auth && (auth->plugin.length || auth->auth_str.length || auth->pwtext.length);

--- a/sql/sys_vars.cc
+++ b/sql/sys_vars.cc
@@ -1517,7 +1517,7 @@ static Sys_var_ulong Sys_max_connections(
       DEFAULT(MAX_CONNECTIONS_DEFAULT), BLOCK_SIZE(1), NO_MUTEX_GUARD,
       NOT_IN_BINLOG, ON_CHECK(0), ON_UPDATE(fix_max_connections));
-static Sys_var_ulong Sys_default_password_lifetime(
+static Sys_var_uint Sys_default_password_lifetime(
       "default_password_lifetime",
       "This defines the global password expiration policy. 0 means "
       "automatic password expiration is disabled. If the value is a "